A Cryptographic Moving-Knife Cake-Cutting Protocol



Yoshifumi Manabe 

NTT Communication Science Laboratories, 2-4 Hikaridai, Seika-cho, Kyoto 619-0237 Japan 
manabe.yoshifumi@lab.ntt.co.jp

Tatsuaki Okamoto 

NTT Information Sharing Platform Laboratories, 3-9-11, Midori-cho, Musashino-shi, 180-8585 Japan 

okamoto.tatsuaki@lab.ntt.co.jp

This paper proposes a cake-cutting protocol using cryptography when the cake is a heterogeneous
good that is represented by an interval on a real line. Although the Dubins-Spanier moving-knife
protocol with one knife achieves simple fairness, all players must execute the protocol synchronously.
Thus, the protocol cannot be executed on asynchronous networks such as the Internet. We show
that the moving-knife protocol can be executed asynchronously by a discrete protocol using a
secure auction protocol. The number of cuts is $n - 1$ where $n$ is the number of players, which is the
minimum.

1 Introduction 

Cake-cutting is an old problem in game theory llllTSl. It can be employed for such purposes as dividing 
territory of a conquered island or assigning jobs to members of a group. 

This paper discusses achieving a moving-knife protocol using cryptography in cake-cutting when the 
cake is a heterogeneous good that is represented by an interval, [0, 1], on a real line. 

The moving-knife protocol is a common technique for achieving fair cake-cutting. The trusted third 
party (TTP) or one of the players moves a knife on the cake. Every player watches the movement and 
calls 'stop' when the knife comes to some specific point that is desirable for the player. Cake is cut at 
the points the calls are made. Many protocols that use one or more knives were shown to achieve some 
desirable property such as exact division [2].

The simplest moving-knife protocol using one knife was proposed by Dubins and Spanier [5]. The
protocol achieves simple-fairness and it is truthful. 

Moving-knife protocols have several disadvantages. First, all players must watch the knife movement 
simultaneously, thus moving-knife protocols cannot be executed on networks such as the Internet, in 
which transmission delays cannot be avoided. In addition, moving knives means cutting the cake at an 
infinite number of places, thus it is considered to be inefficient. 

Many discrete protocols have been proposed that achieve simple fairness [8][10][16][18][19]. Several
different models were proposed that concern the allowed types of primitives. The simplest model is just
minimizing the number of cuts. Then, the Robertson-Webb model was proposed [15]. In the model, 'cut'
and 'eval' operations are allowed. The complexity of the protocol is given by the total number of the two 
operations. 

However, the cake-cutting problem when applied to the simplest model has not yet been completely
solved. Discrete versions of the Dubins-Spanier moving-knife protocol considered in [7][18] are not
truthful.

Cryptography is not commonly used in cake-cutting protocols. A commitment protocol [3] is used in
meta-envy-free cake-cutting protocols fTT\ for multiple parties to declare simultaneously their respective
private values. Complicated cryptographic protocols have not been used for cake-cutting protocols so
far.

1.1 Our result 

We show a cryptographic cake-cutting protocol that achieves simple fairness with the minimum number 
of cuts. We use a secure auction protocol that calculates the maximum bid and the winning player while 
hiding the bid of each player. The protocol output is the same as that of Dubins-Spanier moving-knife 
protocol. The protocol achieves simple fairness and it is truthful. 

2 Preliminaries 

Throughout the paper, the cake is a heterogeneous good that is represented by interval $[0, 1]$ on a real
line. Each player $P_i$ has a utility function, $\mu_i$, that has the following three properties.

1. For any interval $X \subseteq [0, 1]$ whose size is not empty, $\mu_i(X) > 0$.

2. For any $X_1$ and $X_2$ such that $X_1 \cap X_2 = \emptyset$, $= \mu_i(X_1) + \mu_i(X_2)$.

3. $\mu_i([0,1]) = 1$.

The tuple of the utility functions of $P_i$ $(i = 1, \ldots, n)$ is denoted as $(\mu_1, \ldots, \mu_n)$. Utility functions might
differ among players. No player has knowledge of the utility of the other players.

An $n$-player cake-cutting protocol, $f$, assigns several portions of $[0, 1]$ to the players such that every
portion of $[0, 1]$ is assigned to one player. We denote $f_i(\mu_1, \ldots, \mu_n)$ as the set of portions assigned to
player $P_i$ by $f$, when the tuple of the utility function is $(\mu_1, \ldots, \mu_n)$.

All players are risk-averse, namely they avoid gambling. They try to maximize the worst case utility 
they can obtain. 

A desirable property for cake-cutting protocols is truthfulness. A protocol is truthful if there is no 
incentive for any player to lie about his utility function. If a player obtains more utility by declaring a false 
value, the protocol is not robust. For example, consider the simplest cake-cutting protocol 'divide-and-choose.'
In this protocol, Divider first cuts the cake into two pieces $[0,x]$ and $[x,1]$, such that $\mu([0,x]) =
\mu([x,1]) = 1/2$ for Divider. Chooser selects the piece she prefers. Divider obtains the remaining piece.
Since the utility function of Divider is unknown to Chooser, Divider can lie about his utility function and
cut the cake as $[0,x']$ and $[x',1]$, for any $x' (\neq x)$. In this case, Chooser might select the piece such that
the utility for Divider is more than half and Divider might obtain less than half. Thus, the risk-averse 
Divider obeys the rule of the protocol and cuts the cake in half. 'Divide-and-choose' is thus truthful for 
risk-averse players. 

Several desirable properties of cake-cutting protocols have been defined ifTSll . Simple fairness, which 
is the most fundamental one, is defined as follows. 
For any $i$, $\mu_i(f_i(\mu_1, \ldots, \mu_n)) \geq 1/n$.

This paper discusses simple-fair cake-cutting protocols. One of the other types of the desirable
property is the social surplus, that is, the total utilities the players obtain. For two protocols $f$ and $f'$
which have the same properties (for example, both truthful and simple fair), $f$ is better than $f'$ in the sense
of social surplus if $\sum_{i=1}^{n} \mu_i(f_i(\mu_1, \ldots, \mu_n)) > \sum_{i=1}^{n} \mu_i(f'_i(\mu_1, \ldots, \mu_n))$.

Several kinds of complexity models of discrete cake-cutting problems are defined. The simplest 
model is that the complexity is the total number of cuts. This model is further divided into two categories. 

• Cut-and-calculate model: Any operation that uses the utility function of each player is possible
other than cutting.

• Cut-only model: No operation other than cutting is allowed. Thus, the utility of player $P_i$ can be
known only by $P_i$ performing a cut.

Another model called the Robertson-Webb model is introduced. The operations are restricted to the 
following two types in the model. 

• $Cut_i(I, \alpha)$: Player $P_i$ cuts interval $I = [x_1, x_2]$ such that $\mu_i([x_1, y]) = \alpha\mu_i(I)$, where $0 \le \alpha \le 1$.

• $Eval_i(I)$: Player $P_i$ evaluates interval $I = [x_1, x_2]$, which is one of the cuts previously performed
using the protocol. $P_i$ returns

The complexity of the Robertson-Webb model is defined as follows.

• Robertson-Webb cut-complexity model: The complexity is measured by the number of cuts. That
is, evaluation queries can be issued for free.

• Robertson-Webb cut-and-query-complexity model: The complexity is measured by the total number
of cuts and queries.

For the cut-only model, when the number of players is $n = 3$, the minimum number of cuts for simple-fair
division is three ifTSl . When $n = 4$, the minimum number of cuts is four [8]. For a general number
of players, the Divide and Conquer protocol [8] achieves $1 + nk - 2^k$ cuts, where $k = \lfloor \log_2 n \rfloor$ [14]. The
lower bound of the cut-only model is $\Omega(n \log n)$ Pl.

For the Robertson-Webb cut-and-query-complexity model, the lower bound is $\Omega(n \log n)$ (TT\ . Edmonds
and Pruhs extended the $\Omega(n \log n)$ lower bound to the cases when a player obtains a union of
intervals and approximate fairness is achieved 0.

3 Dubins-Spanier moving-knife protocol 

This section outlines the Dubins-Spanier moving-knife protocol [5] shown in Fig. 1.

 1: begin
 2:   Let $k \leftarrow n$ and $x \leftarrow 1$.
 3:   repeat
 4:     The TTP moves the knife from $x$ toward 0. Let $y$ be the current position of the knife.
 5:     Player $P_i$ calls 'stop' if $\mu_i([y,x]) = \mu_i([0,x])/k$.
 6:     The TTP immediately stops moving the knife when 'stop' is called. Let $x'$ be the point of the
        knife when 'stop' is called.
 7:     The TTP cuts the cake at $x'$. The player who said 'stop' obtains the piece $[x',x]$ and exits the
        protocol.
 8:     Let $k \leftarrow k - 1$ and $x \leftarrow x'$.
 9:   until $k = 1$
10:   The remaining player obtains the rest of the cake ($[0,x]$).
11: end.

Figure 1: Dubins-Spanier moving-knife protocol

When the number of remaining players is $k$ and the remaining cake is $[0,x]$, each remaining player
$P_i$ calls 'stop' if the knife comes to point $y$ which satisfies $\mu_i([y,x]) = \mu_i([0,x])/k$, that is, the value of
piece $[y,x]$ is $1/k$ of the remaining cake. The first player who calls 'stop' obtains piece $[y,x]$ and exits the
protocol. The remaining players continue the same procedure for the remaining cake $[0,y]$.

Each player obtains at least $1/n$ based on the utility function of the player, thus simple-fairness is
achieved.

In addition, the protocol is truthful for risk-averse players. Consider the case when player $P_i$ tells a lie.
Assume that the number of current remaining players is $k$. Let the remaining players be $P_i, P_{i+1}, \ldots, P_{i+k-1}$
and the remaining cake be $[0,x]$. The actual place for $P_i$ to call 'stop' is $x_i$, that is, $\mu_i([x_i,x]) = \mu_i([0,x])/k$.

If $P_i$ calls 'stop' earlier than $x_i$, $P_i$ obtains less than $\mu_i([0,x])/k$ and the result is worse than telling the
truth.

If $P_i$ does not call 'stop' even if the knife comes to $x_i$, player $P_{i+1}$ might call 'stop' at $x_i - \epsilon$. The
remaining piece is $[0, x_i - \epsilon]$ and $\mu_i([0, x_i - \epsilon]) < (k-1)\mu_i([0,x])/k$. Let $x_{i+1} = x_i - \epsilon$. After that, player
$P_j$ $(j = i+2, i+3, \ldots, i+k-1)$ calls 'stop' at point $x_j$ such that $\mu_i([x_j, x_{j-1}]) = \mu_i([0,x])/k$. If $P_i$ calls
'stop' before $x_j$ $(j \geq i+1)$, $P_i$ obtains less than $\mu_i([0,x])/k$. If $P_i$ does not call 'stop' and obtains the last
remaining piece $[0, x_{i+k-1}]$, the utility of $P_i$, $\mu_i([0, x_{i+k-1}])$, is less than $\mu_i([0,x])/k$. Therefore, not calling
'stop' at the true point can be worse than telling the truth.

Note that the moving-knife protocol is not a discrete protocol. A protocol is presented by Endriss Q,
shown in Fig. 2, that makes the protocol discrete.

 1: begin
 2:   Let $k \leftarrow n$ and $x \leftarrow 1$.
 3:   repeat
 4:     Each player $P_i$ declares point $x_i$ such that $\mu_i([x_i,x]) = \mu_i([0,x])/k$.
 5:     Let $x'$ be the maximum of the $x_i$'s. Let $P_i$ be the player who called $x'$.
 6:     $P_i$ obtains piece $[x',x]$ and exits the protocol.
 7:     Let $k \leftarrow k - 1$ and $x \leftarrow x'$.
 8:   until $k = 1$
 9:   The remaining player obtains the rest of the cake ($[0,x]$).
10: end.

Figure 2: Endriss protocol

It seems that this protocol is the same as the Dubins-Spanier moving-knife protocol, but it is actually
not. In this protocol, all players know the cut point of the other players. The cut point information can
offer a hint to a player and the player can obtain more utility by behaving dishonestly. Suppose that $k = 3$
and the density functions for the utility of the players are as follows.

$u_2(z) = 1 \quad (0 \le z \le 1)$

The utility of $P_i$ for $[x,y]$, $\mu_i([x,y])$, is calculated by $\int_x^y u_i(z)\,dz$. Since $\int_0^1 u_i(z)\,dz = 1$ $(i = 1,2,3)$, these
density functions satisfy the conditions of the utility functions.

At the first round, each player declares $c_1 = 5/6$, $c_2 = 2/3$, and $c_3 = 1/3$, since $\int_{5/6}^{1} u_1(z)\,dz = 1/3$,
$\int_{2/3}^{1} u_2(z)\,dz = 1/3$, and $\int_{1/3}^{1} u_3(z)\,dz = 1/3$. Since $5/6 > 2/3 > 1/3$, $P_1$ obtains $[5/6,1]$ and exits the
protocol. The next round is performed by $P_2$ and $P_3$ with the remaining cake $[0,5/6]$. The honest
declaration, $c'_2$, at the next round by $P_2$ is $5/12$, since $\int_{5/12}^{5/6} u_2(z)\,dz = \frac{1}{2}\int_{0}^{5/6} u_2(z)\,dz = 5/12$. Since
$\int_{11/48}^{5/6} u_3(z)\,dz = \frac{1}{2}\int_{0}^{5/6} u_3(z)\,dz$, $P_3$ will declare $11/48$ as the cut point, $c'_3$, for the next round.

Although $P_2$ cannot know $c'_3$ in advance, it knows that $c'_3 < c_3$ is satisfied for any utility function.
Thus, $P_2$ can declare a false value $1/3 (= c_3)$, instead of the true value of $5/12$ as $c'_2$, if $P_2$ knows that the
declared value by $P_3$ in the previous round is $c_3$. When $P_2$ declares false value $1/3$, $P_2$ wins in this round and
obtains $[1/3,5/6]$. The utility of $P_2$ is $1/2$, which is larger than utility $5/12$ when $P_2$ declares the true cut
point, $5/12$.

Thus knowledge of the declared values of other players destroys the truthful characteristic of the 
protocol. The trimming protocol [18], which also achieves simple-fair by a discrete protocol, has the 
same problem about truthfulness, since a player might be able to know all other players' cut points in the 
previous round. 
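
The leak described above can be replayed with exact arithmetic. The following is an added example, not code from the paper: u2 is the uniform density given in the text, while u1 and u3 are piecewise-constant densities constructed here (an assumption) so that the honest declarations come out as the values quoted above.

```python
from fractions import Fraction as F

# Piecewise-constant densities as (start, end, height) segments on [0, 1].
# u2 is the uniform density from the text; u1 and u3 are constructed for
# this example so that the declared points match the ones quoted above.
U = {
    1: [(F(0), F(5, 6), F(4, 5)), (F(5, 6), F(1), F(2))],
    2: [(F(0), F(1), F(1))],
    3: [(F(0), F(1, 3), F(2)), (F(1, 3), F(1), F(1, 2))],
}

def mu(u, a, b):
    """Utility of [a, b]: the integral of density u over the interval."""
    return sum((h * max(F(0), min(b, e) - max(a, s)) for s, e, h in u), F(0))

def honest_cut(u, x, k):
    """Point y with mu([y, x]) = mu([0, x]) / k, found by walking left from x."""
    need = mu(u, F(0), x) / k
    for s, e, h in reversed(u):
        hi = min(e, x)
        if hi <= s:
            continue                      # segment lies right of the remaining cake
        piece = h * (hi - s)
        if piece >= need:
            return hi - need / h
        need -= piece
    return F(0)

def endriss(densities, lie=None):
    """Run Fig. 2 with public declarations; lie(p, rnd, history) may
    return a false declaration for player p, or None to declare honestly."""
    remaining, x, pieces, history = sorted(densities), F(1), {}, []
    while len(remaining) > 1:
        k, decl = len(remaining), {}
        for p in remaining:
            false_bid = lie(p, len(history), history) if lie else None
            decl[p] = honest_cut(densities[p], x, k) if false_bid is None else false_bid
        winner = max(decl, key=decl.get)
        pieces[winner] = (decl[winner], x)   # winner takes [x', x]
        history.append(decl)                 # every declaration becomes public
        remaining.remove(winner)
        x = decl[winner]
    pieces[remaining[0]] = (F(0), x)
    return pieces, history

def p2_uses_leak(p, rnd, history):
    """In round 2, P2 repeats P3's public round-1 declaration (which P3's
    round-2 declaration stays below) instead of its honest cut point."""
    return history[0][3] if (p == 2 and rnd == 1) else None

def p2_utility(lie=None):
    """Utility P2 ends up with, measured by its true density u2."""
    pieces, _ = endriss(U, lie)
    return mu(U[2], *pieces[2])

if __name__ == "__main__":
    print("honest:", p2_utility(), " using leaked declarations:", p2_utility(p2_uses_leak))
```

Hiding the per-round declarations, as the secure auction in Section 4 does, removes the `history` argument that the false declaration depends on.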

Sgall and Woeginger showed a protocol in which the number of cuts is $n - 1$, shown in Fig. 3.

 1: begin
 2:   Each player $P_i$ simultaneously declares $n - 1$ points $x_{i,j}$ $(1 \le j \le n-1)$ such that $\mu_i([x_{i,j}, x_{i,j+1}]) =
      1/n$ $(0 \le j \le n-1)$ (Note that $x_{i,0} = 0$ and $x_{i,n} = 1$).
 3:   Let $y \leftarrow 0$.
 4:   for $k = 1$ to $n - 1$ do
 5:   begin
 6:     Let $z \leftarrow \min_i x_{i,k}$, where the minimum is taken among the remaining players.
 7:     Let $P_j$ be the player who declares $z$.
 8:     $P_j$ obtains $[y,z]$ and exits the protocol.
 9:     Let $y \leftarrow z$.
10:   end
11:   The remaining player obtains the rest of the cake ($[y, 1]$).
12: end.

Figure 3: Sgall-Woeginger protocol

This protocol achieves simple fairness. When $k = 1$, player $P_i$ who obtains piece $[0,z]$ satisfies $z = x_{i,1}$,
thus $\mu_i([0, x_{i,1}]) = 1/n$. Next consider the case $k > 1$. If player $P_j$ obtains $[y, x_{j,k}]$ in the $k$-th round, $P_j$ could
not obtain its piece in the previous round. Thus, $y \le x_{i,k-1}$ is satisfied for any currently remaining
player $P_i$ at line 6 and $\mu_i([y, x_{i,k}]) \ge \mu_i([x_{i,k-1}, x_{i,k}]) = 1/n$.

Since all players declare their cut points simultaneously, no player can know the other players' cut 
points in advance. Thus, telling a false value such as in the Endriss protocol is not effective in this 
protocol. 

The assignment result differs from that of the original Dubins-Spanier moving-knife protocol. In the
moving-knife protocol, when $P_i$ exits in the first round with obtaining $[x, 1]$, each of the remaining players
$P_j$ obtains at least $\mu_j([0,x])/(n-1)$, which is greater than $1/n$. Since $P_j$ did not win in the first round,
$\mu_j([x, 1]) < 1/n$, thus $\mu_j([0,x]) > (n-1)/n$. Therefore, from the second round, the cake is more than
$(n-1)/n$ for the remaining players. The other rounds have the same characteristic. If a player exits with
a "small" (in the other players' view) portion of the cake, all of the remaining players obtain more utility.

On the other hand, in the Sgall-Woeginger protocol, when a player exits with a "small" portion of
the cake, the extra part of the cake is automatically assigned to the next round's winner. For example,
if $P_i$ wins in the first round, obtains $[0,x]$ and exits, remaining player $P_j$ thinks that the remaining cake
is $(n-1)/n + \mu_j([x, x_{j,1}])$, where $\mu_j([0, x_{j,1}]) = 1/n$. In the next round, the player $P_k$ wins whose $x_{k,2}$ is
smallest among the remaining players, but the value of the extra part $\mu_k([x, x_{k,1}])$ might not be large among
the remaining players.

In the Dubins-Spanier moving-knife protocol, the next round call is done for all of the remaining cake, thus
the extra part (such as $[x, x_{j,1}]$) is also considered by the remaining players. The next round winner is the
player who values the extra part of the remaining cake the highest. The next round winner is satisfied
with a relatively 'small' portion of the cake because of the extra part, thus the next round remaining
cake can be larger than in the Sgall-Woeginger protocol. Thus, in the view of the social surplus, the
Dubins-Spanier moving knife is more desirable than the Sgall-Woeginger protocol.

4 Cryptographic moving-knife protocol 

The important characteristics of the Dubins-Spanier moving-knife protocol are that (1) the declaration is 
done round by round and (2) when a player P calls 'stop', no player knows the other remaining players' 
cut points because the knife is moving so that the size of the cutting piece increases. 

Because of the first characteristic, the social surplus is better than in the Sgall-Woeginger protocol. Because
of the second characteristic, no player knows the previous round cut point information of the
other remaining players.

The simplest solution to keep the protocol truthful and make the protocol discrete would be to have 
a TTP. In each round, every remaining player privately sends its cut point to the TTP. The TTP decides 
the largest value and the player who gave the maximum value from the cut point information. 

However, it might be difficult to have such a TTP. There might be collusion between a player and the 
TTP. The TTP might send the player cut point information to the colluding player. 

In order to address this problem, we introduce a secure auction protocol. Secure auction protocols 
have been proposed in cryptography theory |[T][TTl[T3l. They are outlined as follows. 

• Player $P_i$ generates its share of public key and secret key, $(PK_i, SK_i)$, of a homomorphic encryption
  scheme.

  $P_i$ broadcasts $PK_i$ and the public encryption key $PK$ is calculated by any player from $(PK_1, \ldots, PK_n)$.
  $SK_i$ is the private key of $P_i$ for decryption.

  Any player can execute encryption procedure $Enc$ using $PK$. The ciphertext obtained by executing
  $Enc$ on plaintext $m$ is $Enc(PK, m)$.

  If $P_1, \ldots, P_n$ jointly execute decryption procedure $Dec$ with their private keys $SK_1, \ldots, SK_n$, they
  can decrypt $Enc(PK, m)$ and obtain $m$. That is, $Dec(Enc(PK, m), SK_1, \ldots, SK_n) = m$. Note that the
  decryption can be performed without revealing the value of $SK_i$ to any other players.

  For any set of players whose size is less than $n$, they cannot decrypt $Enc(PK, m)$ by themselves.

• $P_i$ encrypts his bid $b_i$ using the public key, that is, $P_i$ calculates $c_i = Enc(PK, b_i)$.

• $P_1, \ldots, P_n$ jointly calculate $b_{max} = \max(b_1, \ldots, b_n)$ and player $P_j$ who bids $b_{max}$ from $c_1, \ldots, c_n$
  without directly decrypting $c_1, \ldots, c_n$ using the homomorphic property.

• During execution of the secure auction protocol, each player gives a zero-knowledge proof [9] that
  the player acts correctly. The proof can be verified by any other player.

  The correctness of the obtained highest bid and the winner player is also given as a zero-knowledge
  proof. The proof can be verified by any player. That is, no player can deny its bid afterwards.

The details are shown in ||T][TT][T3]. Secure auction protocols use a homomorphic encryption, in
which addition of encrypted values can be accomplished without decrypting them. Homomorphic
encryption has the following properties.

• There exist polynomial time computable operations $\otimes$ and $^{-1}$ as follows. For any two ciphertexts
  $c_1 = Enc(PK, m_1)$ and $c_2 = Enc(PK, m_2)$, $c_1 \otimes c_2 \in Enc(PK, m_1 + m_2)$.
  For any ciphertext $c = Enc(PK, m)$, $c^{-1} \in Enc(PK, -m)$.

• The encryption is semantically secure, that is, the advantage of the adversary for the following
  game is negligible.

  The adversary obtains all $PK_i$'s and all $SK_i$'s except for some $SK_j$. First, the adversary can repeatedly
  obtain $Dec(SK, c)$ for any ciphertext $c$ that it selects. It then outputs two plaintexts $m_0$, $m_1$.
  Challenger randomly selects bit $b \in \{0,1\}$ and $c = Enc(PK, m_b)$ is given to the adversary.
  Then the adversary outputs $b'$. It wins if $b = b'$.
  The advantage of the adversary is $\Pr[b = b'] - 1/2$.

The first property is calculating the sum of two ciphertexts without decrypting them. Using the homomorphic
characteristics, it is possible to compare multiple bids without decrypting them, that is, they can
obtain $C = Enc(PK, \max(b_1, \ldots, b_n))$ from $c_1, \ldots, c_n$. They jointly decrypt $C$ and obtain the maximum
bid without knowing each bid. In some secure auction protocols [13], another type of homomorphic
encryption scheme is used in which multiplication of two ciphertexts is also possible.

The second property means that no player can obtain information of the plaintext from a given
ciphertext if at least one of the secret keys is unknown.
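
The key-sharing steps of the auction outline and the two homomorphic operations can be seen working together in a small model. This is an added example, not the paper's or the cited auction protocols' code: the paper names no concrete scheme, so exponential ElGamal with multiplicatively combined key shares is swapped in as one scheme with these properties, over a toy group chosen here, and the function names are hypothetical. It covers key generation, $\otimes$, $^{-1}$ and joint decryption only, not the maximum-bid computation or the zero-knowledge proofs.

```python
import secrets

# Toy group, far too small for real use: P = 2Q + 1 with Q prime, and G = 4
# generates the subgroup of order Q. These parameters are assumptions made
# for the example; the page does not name a concrete scheme.
P, Q, G = 2039, 1019, 4

def keygen_share():
    """One player's (PK_i, SK_i): SK_i is random, PK_i = G^SK_i."""
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk

def combine_public(pk_shares):
    """PK = product of all PK_i, computable by anyone from the broadcasts."""
    pk = 1
    for share in pk_shares:
        pk = pk * share % P
    return pk

def enc(pk, m):
    """Enc(PK, m) = (G^r, G^m * PK^r); the message sits in the exponent."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, m % Q, P) * pow(pk, r, P) % P

def combine(c1, c2):
    """The operation written c1 (x) c2 in the text: encrypts m1 + m2."""
    return c1[0] * c2[0] % P, c1[1] * c2[1] % P

def invert(c):
    """The operation written c^-1 in the text: encrypts -m (mod Q)."""
    return pow(c[0], -1, P), pow(c[1], -1, P)

def partial_dec(c, sk):
    """A player's decryption share a^SK_i; SK_i itself is never published.
    A real protocol attaches a proof that the share was computed correctly."""
    return pow(c[0], sk, P)

def joint_dec(c, shares):
    """Strip every share from b, then recover m from G^m by exhaustive search."""
    gm = c[1]
    for d in shares:
        gm = gm * pow(d, -1, P) % P
    for m in range(Q):
        if pow(G, m, P) == gm:
            return m
    raise ValueError("not a valid ciphertext for this group")

def demo(n=3, m1=300, m2=45):
    """n players share one key and decrypt Enc(m1) (x) Enc(m2)^-1 = Enc(m1 - m2)."""
    keys = [keygen_share() for _ in range(n)]
    pk = combine_public([pk_i for pk_i, _ in keys])
    diff = combine(enc(pk, m1), invert(enc(pk, m2)))
    return joint_dec(diff, [partial_dec(diff, sk) for _, sk in keys])

if __name__ == "__main__":
    print("jointly decrypted difference:", demo())
```

Plaintexts live modulo Q here, so an encrypted negative value decrypts to Q minus its magnitude.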

The moving-knife protocol using a secure auction protocol is shown in Fig. 4. In auction protocols,
the bids are considered to be integers. Thus, we convert cake $[0, 1]$ to $[0, 2^m]$ for some large integer $m$
and each player must bid an integer value for the cutting point. Note that $m$ must be large enough such
that for any player $P_i$ and any $c \in [0,1]$, $\mu_i([\lfloor c \cdot 2^m \rfloor / 2^m, c])$ is negligible, that is, bidding integer values is
not a bad approximation.

 1: begin
 2:   Let $k \leftarrow n$, $x \leftarrow 2^m$.
 3:   repeat
 4:     $P_i$ decides $x_i$ such that $\mu_i([x_i,x]) = \mu_i([0,x])/k$.
 5:     $P_i$ encrypts $x_i$ and broadcasts it.
 6:     All players execute a secure auction protocol together and obtain maximum bid $c$ and player $P$
        who bids $c$.
 7:     $[c,x]$ is marked as the piece for $P$ and $P$ cannot bid any more.
 8:     Let $x \leftarrow c$, $k \leftarrow k - 1$.
 9:   until $k = 1$.
10:   $[0,x]$ is marked as the piece for the remaining player and every player obtains his/her piece.
11: end.

Figure 4: Cryptographic moving-knife protocol.

This protocol achieves simple fairness. The protocol is asynchronous, that is, no two events in this 
protocol need to be executed simultaneously. The number of cuts is $n - 1$, which is the minimum.

A difference between the Dubins-Spanier moving-knife protocol and this protocol is that no player
exits the protocol during the execution. If a player exits, the set of players who execute the secure auction 
protocol changes in each round. Changing the set of players requires that the keys be re-generated for the 
secure auction protocol, thus the protocol would be inefficient. Therefore, the set of players is unchanged 
in this protocol. However, if a player obtains a piece, the player has no incentive to execute the secure 
auction protocol honestly any more. Thus, in the proposed protocol, the pieces are actually assigned to 
the players at the end of the protocol. During the execution of the secure auction protocol, each player 
presents a proof that the player executes the protocol correctly. If a player misbehaves, it is detected by 
verifying the proof and the player does not obtain the piece marked for the player. This assignment at 
the end of the protocol must also be done without TTP. If this protocol is executed just once, there is 
no way to prevent a player from misbehaving. If this protocol is executed multiple times or some other 
protocol will be executed among the same players, there is a record of the proof that a player misbehaved 
in this execution of the protocol, and the player will be rejected from joining another protocol or another 
execution of this protocol. If a player wants not to be rejected, the player has an incentive to act correctly. 

Theorem 1. The protocol in Fig. 4 is truthful for risk-averse players and simple fair. The number of cuts
is minimum. 

Proof. These properties are achieved because the assignment is exactly the same as the Dubins-Spanier 
moving-knife protocol. □ 

5 Conclusion 

This paper proposed a cryptographic cake-cutting protocol. The protocol is discrete and truthful. It
achieves simple fairness with the minimum number of cuts. 

Further study will include the use of cryptography in other cake-cutting protocols. 